5.3 Security Characteristics

5.3.1 Identification and Authentication

This product uses XTier to authenticate users against the user identity information stored in eDirectory, and relies on eDirectory for resource authorization and access control. The product takes a user name and password supplied directly by the user and passes that information to XTier for use within its supported authentication mechanisms (via XTier’s plug-in authentication module architecture). If configured to do so, this product authenticates to eDirectory through PAM NAM (Linux User Management), using the LDAP Simple Bind protocol over SSL.

This product does not itself authenticate to another product, system or service. No portion of this product authenticates to another.

5.3.2 Authorization and Access Control

This product allows the protections supplied by eDirectory for access control to be fully realized for those resources that are contained within eDirectory. Access to resources is protected based on user identity (as stored within eDirectory). The VFS, daemon, and XTier work together to compare ACLs for a given file system path or object retrieved from eDirectory to the identity and session scope established for the identity that owns a given connection.

The VFS acts as a proxy to the local file system (via redirection of its local mount point) to make such decisions for network-based file system paths or objects.

5.3.3 Roles

This product does not define or manage roles. It simply makes use of roles that have already been defined elsewhere and treats role access privileges in the same way as any user identity.

Because the product has a VFS module running in the kernel, users do not need root access to create mount points (unlike NCPFS and other similar open source offerings to date, which do require it). The product does not require use of SETUID for any of its operations.